Escape form value.

Even though this is a numeric field, this isn't enforced until the form is submitted.
horde · Dec 14, 2015 · 11d74fa · 11d74fa
1 parent 8ecffa1
commit 11d74fa
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php b/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php
@@ -48,7 +48,7 @@ protected function _renderVarInput_number($form, &$var, &$vars)
         return sprintf('<input type="text" size="5" name="%s" id="%s" value="%s"%s />',
                        htmlspecialchars($var->getVarName()),
                        $this->_genID($var->getVarName(), false),
-                       $value,
+                       htmlspecialchars($value),
                        $this->_getActionScripts($form, $var)
                );
     }